As you read this, how many browser extensions do you have? They’re a useful way to customise your browsing experience, but they could pose a threat to your privacy and security. If your staff use them (on their own devices for work, or on work systems), browser extensions could put your business at risk.
Here’s what to look for – and how to prevent browser extensions being an open door into your business.
Browser extensions are designed to make life easier when browsing the web, modifying the interface or adding extra functionality. Popular ones block ads, translate text between languages, or add pages to third-party bookmarking apps like Pocket and Evernote. There are thousands available across different browsers, often aiming to boost productivity.
It’s not unheard of for people to be running browser extensions into double digits, particularly in Chrome. But there’s often a price to pay for convenience – including giving away your data. At worst, it could be the gateway to a serious data breach or cyber-attack that could cripple a business. And it’s hard to know what a malicious extension looks like, as T&Cs are often complicated and the majority are created by unknown third-party developers.
When we talk about deliberately malicious extensions, we’re mainly talking about those downloaded from third-party websites. However, some have made it on to the Google Play market recently; a presence there doesn’t mean they’re legitimate.
Researchers recently discovered four ‘sticky note’ app extensions in the Google Chrome Store that were actually generating profit by secretly clicking on pay-per-click ads. How did that work? When you download a browser extension, you are asked to accept permissions. It’s usually a yes / no choice, rather than allowing users to limit what the extensions are able to access.
In theory, browsers including Google Chrome allow users to customise their app permissions, but in practice most users don’t venture deep into the settings. Even basic extensions usually require permission to read and change all data on websites you visit – effectively giving them the power to do anything with your data. If you choose not to grant them that permission, the extension won’t be installed.
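As an added example (not code from this article), here is one way an administrator could find installed extensions that request the ‘read and change all data on websites you visit’ level of access described above, by reading each extension’s manifest.json. The function names and sample manifests are constructed for illustration, and the `<id>/<version>/manifest.json` layout assumed is the one Chrome uses inside a profile’s Extensions folder.

```python
import json
from pathlib import Path

# Host patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_access(manifest: dict) -> list[str]:
    """Return where a manifest requests access to all websites (empty if nowhere)."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_HOSTS:
                findings.append(f"{key}: {entry}")
    # Content scripts run on matching pages without a separate permission entry.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if isinstance(pattern, str) and pattern in BROAD_HOSTS:
                findings.append(f"content_scripts.matches: {pattern}")
    return findings


def audit_extensions_dir(root: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under an Extensions folder."""
    report = {}
    for path in sorted(root.glob("*/*/manifest.json")):
        key = f"{path.parent.parent.name}/{path.parent.name}"
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = broad_host_access(manifest)
        except (OSError, ValueError, AttributeError):  # unreadable or malformed
            findings = ["manifest unreadable"]
        if findings:
            report[key] = findings
    return report


# Constructed sample manifests (not real extensions).
SAMPLE_NOTES = {"manifest_version": 2, "name": "Sample Notes",
                "permissions": ["storage", "tabs", "<all_urls>"]}
SAMPLE_TRANSLATE = {"manifest_version": 3, "name": "Sample Translate",
                    "permissions": ["activeTab", "storage"],
                    "host_permissions": ["https://translate.example/*"]}

if __name__ == "__main__":
    for sample in (SAMPLE_NOTES, SAMPLE_TRANSLATE):
        print(sample["name"], "->", broad_host_access(sample) or "no all-sites access")
```

An extension flagged here is not necessarily malicious; the result is a shortlist of extensions whose access is broad enough to deserve a closer look.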
It’s not just browsers that present an open door to cybercriminals. Malicious extensions were recently discovered for Facebook Messenger, harvesting users’ data without their knowledge.
Browser extensions look attractive to hackers because of their huge user numbers. If hackers gain access to a popular extension they can add malicious content to an update, with users none the wiser. There’s been a rise in this type of hacking. Recently, hackers used phishing to gain access to the plugin Copyfish and serve additional ads to users.
Extensions are notoriously hard to monetise, so often plugins are simply bought out by companies that then turn them into something users aren’t prepared for. That’s what happened to popular YouTube customizer Particle. Once bought, it was immediately turned into adware.
Browser plugins can be useful, but it’s worth balancing that with the risk of allowing something third-party to ‘read and change’ your data. If you or your staff do need to use extensions, here are a few tips to help protect your business:
Need further advice? We’re happy to help. We provide industry-leading cybersecurity and managed services to London’s small businesses. Contact us to find out how we can help keep your business protected.